Internet Identity Workshop IIW 2008b Introduction Johannes Ernst - - PowerPoint PPT Presentation



SLIDE 1

Internet Identity Workshop IIW 2008b – Introduction –

Johannes Ernst, NetMesh Inc. http://netmesh.info/jernst

SLIDE 2

Modern Identity History

[Timeline figure, 1999–2009, showing the eras Proprietary, URL-based, Card-based and Invisible, with the markers Yadis, IIW, “Facebook et al.” and “Age of identity interop”]

SLIDE 3

Identity’s Three Pillars

[Figure: Digital Identity resting on three pillars labelled Proprietary, URL-based and Card-based; URL-based and Card-based are grouped as user-centric; a further label reads Invisible]

Source: http://netmesh.info/jernst/Digital_Identity/updating-three-standards.html

SLIDE 4

The Basic User-Centric Flow

[Diagram: the user authenticates to the Identity Provider, then presents the resulting identity to each of several Relying Parties; each Relying Party asks the Identity Provider “Is this true?” and gets back “Yes.”]

SLIDE 5

Comparison: Non-User-Centric Flow

[Diagram: the user authenticates to the Identity Provider; the Relying Parties go to the Identity Provider directly with “Tell me about this user.” and the identity information flows from provider to Relying Party without passing through the user]

SLIDE 6

Comparison: Stovepiped Identity

[Diagram: each Relying Party has its own Identity Provider and its own authentication; the two stovepipes are connected only by a “?”, i.e. there is no interoperation between them]

SLIDE 7

The Basic User-Centric Flow (repeated from slide 4)

[Diagram: user → Identity Provider (authentication); user → Relying Parties (identity); each Relying Party → Identity Provider: “Is this true?” / “Yes.”]

SLIDE 8

Who is this guy speaking right now?

Please enter your OpenID here: http://netmesh.info/jernst

  • globally unique user name, no name conflicts
  • is also a link

SLIDE 9

[no text on slide]

SLIDE 10

Who is this guy speaking right now?

Please enter your OpenID here: http://netmesh.info/jernst

  • globally unique user name, no name conflicts
  • is also a link
  • many value-added services are springing up, for example:
      • Technorati
      • del.icio.us
      • identity aggregators like claimid.com
      • Google Social Graph API

SLIDE 11

[no text on slide]

SLIDE 12

[Screenshot of the Google Social Graph API “findyours” sample]

Source: http://socialgraph-resources.googlecode.com/svn/trunk/samples/findyours.html

SLIDE 13

About Myself

  • Founder/CEO, NetMesh Inc.
  • Pioneered URL-based digital identity with LID™
  • Board member, OpenID Foundation
  • Co-initiator, Open-Source Identity System (OSIS)
  • Co-initiated Yadis, the first user-centric identity convergence project
  • Advisory board member, Health 2.0 conference
  • Contributor to UML; initiator of the Object Management Group’s RT-AD effort
  • BMW, FZI, MSR, Integrated Systems, Aviatis
  • World Economic Forum “Technology Pioneer”
  • Doctorate, EE
  • Frequent speaker: Digital ID World, European Identity Conference, Comdex, PC Forum, Mix, OSCON, ETel, SDForum, UML World, Emerging Communications, Harvard, World Economic Forum…

Blog: http://netmesh.info/jernst

SLIDE 14

“My users will keep entering all the information that I ask for.”

“They always have, I don’t see the need to do anything.”

SLIDE 15

[no text on slide]

SLIDE 16

“Users in Charge” (Esther Dyson)

[Figure contrasting the industrial mass-production model with the Web 2.0, user-centric model]

SLIDE 17

Kim Cameron’s Laws of Identity

  • 1. User Control & Consent: “…only reveal information identifying a user with the user’s consent”
  • 2. Minimal Disclosure for a Constrained Use: “…discloses the least identifying information”
  • 3. Fewest/Justifiable Parties: “…disclosure of identifying information is limited to necessary and justifiable parties.”
  • 4. Directed Identity: “…both ‘omnidirectional’ and ‘unidirectional’ identifiers, thus facilitating discovery while preventing unnecessary release of correlation handles”
  • 5. Pluralism of Operators & Technologies: “…enable the interworking of multiple identity technologies run by multiple identity providers.”
  • 6. Human Integration: “…human user to be a component of the distributed system integrated through unambiguous human-machine communication”
  • 7. Consistent Experience Across Contexts: “…simple, consistent experience while enabling separation of contexts through multiple operators and technologies.”

Source: http://www.identityblog.com/stories/2004/12/09/thelaws.html
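Law 4 above is the one with a concrete mechanism behind it: the user keeps one public, omnidirectional identifier (the OpenID URL of slide 8) for discovery, while the identity provider hands each relying party its own unidirectional identifier, so that two relying parties comparing notes cannot use the identifier as a correlation handle. The following is an added example, not code from the slides, from NetMesh or from any identity product; it derives the per-relying-party identifier as an HMAC over the relying party’s origin under a per-user secret that only the identity provider holds, which is the usual pairwise-pseudonym technique. The IdP URL, the user secret and the relying-party URLs are constructed for the example.

```python
"""Directed identity (Law 4): one omnidirectional identifier for
discovery plus a unidirectional, per-relying-party identifier so that
two relying parties cannot use it as a correlation handle.

Added example, not code from the slides or from any identity product.
The derivation, an HMAC over the RP's origin under a per-user secret
held by the IdP, is the usual pairwise-pseudonym technique; the names,
the IdP URL and the secret are constructed for the example.
"""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Omnidirectional: the public OpenID URL the user hands out (slide 8).
PUBLIC_ID = "http://netmesh.info/jernst"
# Per-user pairwise secret, held only by the IdP (constructed here).
USER_SECRET = secrets.token_bytes(32)
IDP_BASE = "https://idp.example/u/"  # hypothetical IdP identifier prefix


def rp_realm(return_to):
    """Scope the handle to the RP's origin (scheme + host), so every page
    of one site sees the same identifier and another site sees a different one."""
    u = urlsplit(return_to)
    if u.scheme not in ("http", "https") or not u.hostname:
        raise ValueError("return_to must be an absolute http(s) URL")
    return f"{u.scheme}://{u.hostname}"  # urlsplit lower-cases both parts


def directed_id(secret, return_to):
    """Unidirectional identifier for this user at this RP: stable for the
    same origin, unlinkable across origins without the IdP's secret."""
    tag = hmac.new(secret, rp_realm(return_to).encode(), hashlib.sha256).hexdigest()
    return IDP_BASE + tag[:32]


def correlatable(secret, return_to_a, return_to_b):
    """True only if the two RPs receive the same handle, i.e. share an origin."""
    return directed_id(secret, return_to_a) == directed_id(secret, return_to_b)


if __name__ == "__main__":
    print("public:", PUBLIC_ID)
    print("shop:  ", directed_id(USER_SECRET, "https://shop.example/login"))
    print("forum: ", directed_id(USER_SECRET, "https://forum.example/openid/return"))
```

The public identifier still serves discovery (it is “also a link”, as slide 8 says); what changes is that an identity provider which handed that same public URL to every relying party would be giving all of them a shared correlation handle, which is exactly what Law 4 asks it to avoid unless the user chooses it.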

SLIDE 18

Customer Trust

[Figure: a spectrum from No Trust to Trust. No Trust, traditional marketing: “They do something with my identity behind my back.” Trust, user-centric (future), VRM: “I choose how much information to reveal … and I can take it back and ‘switch it off’ at any time.”]

SLIDE 19

Net Result: More Business

[Figure: the potential customers of your website split into those who successfully filled out forms and logged on, and those who won’t or can’t fill out forms or log on but will do business; the second group is marked “hopeless” for the traditional approach. Caption: “Do we want them as customers? With user-centric identity you can get them!”]

SLIDE 20

Competitive Effects

[Figure: Your website beside the competitor’s website, the same “hopeless” customer group between them, and a row of $ signs indicating the revenue at stake]

SLIDE 21

User-Centric “Sweet Spot”

[Figure: concentric tiers 1–4 around the enterprise: Enterprise internal, Close business partners (<10), Affiliates (100’s), Customers (1000’s and more), and beyond them Everybody else]

Do we want them as customers? Do we want them as repeat customers? Do we want them to do business with us or the competition?

Source: http://netmesh.info/jernst/Digital_Identity/concentric-circles-2008.html
SLIDE 22

Outsource Authentication

[Diagram: the basic user-centric flow (Relying Parties ask the Identity Provider “Is this true?” / “Yes.”), with authentication handled at the Identity Provider rather than at each Relying Party]

Cost (old-style): Password management + Password reset + Anti-phishing + Backup tape risk / management = $$$ or €€€

Cost (user-centric): Key/secret management + Password reset + Anti-phishing + Backup tape risk / management + free authentication from major IdP = $$ or €€
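What “Is this true? Yes.” costs the relying party in code is worth seeing, since the slide replaces password management with key/secret management. The following is an added example, not code from the slides, from NetMesh or from any OpenID library. It follows the shape of an OpenID 2.0 positive assertion (a key:value signature base over the fields named in `signed`, HMAC-SHA256 under an association key shared between identity provider and relying party), but it is a teaching model, not a spec-complete implementation; the association key, the IdP and RP URLs and the nonce store are constructed for the example. The relying party checks the signature, that the assertion was issued for its own return URL and for the identity the user claimed, and that the nonce is fresh and has not been seen before.

```python
"""Model of the "Is this true? Yes." check from slides 4, 7 and 22.

Added example, not code from the slides, from NetMesh or from any OpenID
library. It follows the shape of an OpenID 2.0 positive assertion
(key:value signature base over the fields named in "signed", HMAC-SHA256
under a key shared between IdP and RP) but is a teaching model, not a
spec-complete implementation. Keys, URLs and the nonce store are
constructed for the example.
"""
import base64
import calendar
import hashlib
import hmac
import secrets
import time

# Association: HMAC key shared between this RP and the IdP. Constructed
# here; in OpenID 2.0 it is established by Diffie-Hellman or over TLS.
ASSOC_HANDLE = "assoc-example-1"
ASSOC_KEY = secrets.token_bytes(32)

IDP_ENDPOINT = "https://idp.example/openid"        # hypothetical IdP
RP_RETURN_TO = "https://rp.example/openid/return"  # hypothetical RP
SIGNED_FIELDS = ["op_endpoint", "claimed_id", "identity", "return_to",
                 "response_nonce", "assoc_handle"]
NONCE_TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def signature_base(fields):
    """Key:value form over the fields listed in 'signed', in that order."""
    names = fields["signed"].split(",")
    return "".join(f"{n}:{fields[n]}\n" for n in names).encode()


def idp_issue_assertion(claimed_id, return_to):
    """Identity Provider side: after the user has authenticated, sign
    "this user is claimed_id" for exactly this RP return URL."""
    nonce = time.strftime(NONCE_TIME_FMT, time.gmtime()) + secrets.token_urlsafe(8)
    fields = {
        "op_endpoint": IDP_ENDPOINT,
        "claimed_id": claimed_id,
        "identity": claimed_id,
        "return_to": return_to,
        "response_nonce": nonce,
        "assoc_handle": ASSOC_HANDLE,
        "signed": ",".join(SIGNED_FIELDS),
    }
    mac = hmac.new(ASSOC_KEY, signature_base(fields), hashlib.sha256).digest()
    fields["sig"] = base64.b64encode(mac).decode()
    return fields


class RelyingParty:
    """Relying Party side: answers "Is this true?" with no password
    database of its own, only the shared association key."""

    def __init__(self, return_to, max_age_s=300):
        self.return_to = return_to
        self.max_age_s = max_age_s
        self.seen_nonces = set()  # replay protection across requests

    def verify(self, fields, expected_claimed_id):
        # 1. Known association, and every required field is under the signature.
        if fields.get("assoc_handle") != ASSOC_HANDLE:
            return False
        if not set(SIGNED_FIELDS) <= set(fields.get("signed", "").split(",")):
            return False
        # 2. MAC check with a constant-time compare.
        try:
            got = base64.b64decode(fields["sig"])
            want = hmac.new(ASSOC_KEY, signature_base(fields), hashlib.sha256).digest()
        except (KeyError, ValueError):
            return False
        if not hmac.compare_digest(got, want):
            return False
        # 3. Issued for this RP, and for the identity the user claimed.
        if fields["return_to"] != self.return_to or fields["claimed_id"] != expected_claimed_id:
            return False
        # 4. Nonce is fresh and is accepted only once.
        nonce = fields["response_nonce"]
        if nonce in self.seen_nonces:
            return False
        try:
            issued = calendar.timegm(time.strptime(nonce[:20], NONCE_TIME_FMT))
        except ValueError:
            return False
        if abs(time.time() - issued) > self.max_age_s:
            return False
        self.seen_nonces.add(nonce)
        return True


def demo():
    """One good assertion, then a replay, a tampered copy and an
    assertion issued for a different RP. Returns the four verdicts."""
    rp = RelyingParty(RP_RETURN_TO)
    user = "http://netmesh.info/jernst"  # the OpenID from slide 8
    good = idp_issue_assertion(user, RP_RETURN_TO)
    accepted = rp.verify(good, user)
    replay = rp.verify(good, user)  # same nonce presented a second time
    forged = dict(good, claimed_id="http://attacker.example/")
    tampered = rp.verify(forged, "http://attacker.example/")
    other = idp_issue_assertion(user, "https://other.example/return")
    wrong_rp = rp.verify(other, user)
    return {"accepted": accepted, "replay": replay,
            "tampered": tampered, "wrong_rp": wrong_rp}


if __name__ == "__main__":
    print(demo())  # {'accepted': True, 'replay': False, 'tampered': False, 'wrong_rp': False}
```

The point the cost line makes is visible in the code: the relying party keeps no password hashes and runs no reset flow of its own, but it does now hold an association key whose compromise lets anyone forge a “Yes.”, and every one of its logins depends on the identity provider being honest and available. The return_to and nonce checks are the part most often skipped in home-grown verifiers, and skipping them turns an assertion meant for one site into a login token for another.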

SLIDE 23

Affording Strong Authentication

[Diagram: one Strong Authentication token held at the Identity Provider, relied on by several Relying Parties …]

“Shared token”

  • All relying parties benefit from the added security of the same token
  • Higher security at lower cost through cost sharing, enabled by internet-scale common protocols
  • Much more convenient for the user: one token, not N
  • Works the same for other strong auth: voice, biometrics, client certs etc.

SLIDE 24

Internet Identity Workshop IIW 2008b – Thank you for your time!

Johannes Ernst, NetMesh Inc. http://netmesh.info/jernst